05-10-2012 10:11 AM
Hi,
I have an Ironport set up with my 6500 through WCCP.
It seems to be working ok, but I have a question.
Right now, I'm only redirecting a specific VLAN (let's say 40).
I can filter the traffic ok, but I'm seeing that it's also redirecting inter-VLAN traffic (from VLAN 100 to 40, for example).
Is there a way to exclude this traffic?
Thanks in advance for any help.
05-12-2012 08:39 AM
Hi,
Basically, the router decides what to redirect. Within your access-list, for example, you can define what to redirect (and what not). Would you mind including your WCCP config parts?
-Stephan
05-15-2012 03:14 AM
This is the access-list I'm using.
Each line corresponds to a different VLAN.
Extended IP access list IRONPORT
10 permit tcp 10.180.4.0 0.0.0.255 any (8 matches)
20 permit tcp 10.180.2.0 0.0.1.255 any (3 matches)
30 permit tcp 10.180.1.0 0.0.0.255 any
40 permit tcp 10.180.11.0 0.0.0.255 any
50 permit tcp 10.180.5.0 0.0.0.255 any
60 permit tcp 10.180.6.0 0.0.0.255 any
70 permit tcp 10.180.7.0 0.0.0.255 any
80 permit tcp 10.180.8.0 0.0.0.255 any
90 permit tcp 10.180.9.0 0.0.0.255 any
Then I have an "ip wccp redirect in" on each VLAN interface whose traffic I want to inspect.
Is it best to just have this line on the interface connected to the router that leaves our LAN?
We have a MPLS network from our provider, that connects to remote sites.
Can I exclude these sites from inspection with "deny" commands on the access-list?
05-15-2012 04:17 AM
Yes, it would be best to put that on the port going to the router, though in that case you want the traffic redirected on egress from the port instead of ingress.
Yes, you can exclude traffic by using deny statements in the access list. In fact, if you move the redirect to the port, you'll want one to exclude traffic from the WSA from being redirected to itself.
Ken
05-15-2012 05:01 AM
As the router is always the source for the redirection, I would suggest excluding the corresponding IP addresses from being redirected in the first place (access-list modified to deny the particular traffic).
Another way is to use the proxy bypass list, which takes advantage of the WCCPv2 protocol to return the SYN packet to the router to indicate that the entire session should afterwards be bypassed directly at the router (this is all implemented inside WCCP, so there is nothing further to configure). This solution is probably more convenient to maintain, but it creates a little overhead as the initial SYN packet has to go back and forth to the WSA proxy.
I would advise using only IP addresses on the proxy bypass list, as it will anyway only be used to build an IP access-list.
In your case you would have to exclude the other VLANs' subnets to ensure they are routed directly.
-Stephan
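Putting Ken's and Stephan's access-list suggestions together, below is an added example configuration that is not from any post in this thread. It keeps the client subnets from the posted access-list, but adds deny entries in front of them so that the WSA's own traffic, inter-VLAN traffic and traffic to the MPLS remote sites are never handed to WCCP, and it moves the redirect to the uplink as egress redirection. The WSA address (10.180.250.10), the MPLS summary range (10.200.0.0/16), the interface names and the use of the standard web-cache service group are all assumptions for the example.

```ios
! Added example, not the original poster's running config.
! Deny entries are evaluated first, so anything matched here is routed
! normally and never reaches the WSA.
ip access-list extended IRONPORT
 ! 1. The WSA itself (assumed address 10.180.250.10): its outbound
 !    connections must not be redirected back to it.
 deny   tcp host 10.180.250.10 any
 ! 2. Inter-VLAN traffic: anything destined to the internal range stays
 !    local (covers e.g. VLAN 100 -> VLAN 40).
 deny   tcp any 10.180.0.0 0.0.255.255
 ! 3. Remote sites behind the provider MPLS (assumed 10.200.0.0/16).
 deny   tcp any 10.200.0.0 0.0.255.255
 ! 4. Client subnets from the original post, now matching only what is
 !    left after the exclusions, i.e. traffic leaving the LAN.
 permit tcp 10.180.4.0 0.0.0.255 any
 permit tcp 10.180.2.0 0.0.1.255 any
 permit tcp 10.180.1.0 0.0.0.255 any
 permit tcp 10.180.11.0 0.0.0.255 any
 permit tcp 10.180.5.0 0.0.0.255 any
 permit tcp 10.180.6.0 0.0.0.255 any
 permit tcp 10.180.7.0 0.0.0.255 any
 permit tcp 10.180.8.0 0.0.0.255 any
 permit tcp 10.180.9.0 0.0.0.255 any
 ! implicit deny: everything else is routed without redirection
!
! Bind the list to the service group (web-cache = standard service 0, port 80).
ip wccp web-cache redirect-list IRONPORT
!
! Single redirect point on the uplink, on egress, instead of "redirect in"
! on every VLAN SVI (assumed interface name).
interface GigabitEthernet1/1
 description Uplink to Internet router
 ip wccp web-cache redirect out
!
! Belt and braces on the port facing the WSA: packets arriving from the
! proxy are excluded from redirection regardless of the access-list.
interface GigabitEthernet1/2
 description WSA
 ip wccp redirect exclude in
!
! Checks after the change (hit counters should appear on the deny lines
! when VLAN 100 talks to VLAN 40, and on the permits for Internet traffic):
!   show ip access-lists IRONPORT
!   show ip wccp web-cache detail
```

Two caveats for the 6500 in particular: verify in the supervisor's documentation whether "ip wccp redirect out" is switched in hardware on your platform, since egress redirection is not handled the same way as ingress on every line card, and remember that with the web-cache service group only TCP/80 is redirected; if the WSA also advertises other ports through a dynamic service group, the same redirect-list has to be bound to that group as well.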